You Need to Enable Two-Factor Authentication… Today!

So a couple of nights ago, my partner noticed some suspicious activity on one of my son’s online accounts and having looked a little closer, she quickly discovered that someone was in fact accessing one of my son’s online accounts when they should not have been… As you would expect, my partner immediately told my son to change his password and thus prevented any harm from being done.

But all this could have been avoided – even though the person accessing my son’s online account actually had his password – if my son had previously enabled two-factor authentication.

But what is two-factor authentication?

Two-factor authentication (sometimes called two-step authentication, 2FA or login verification) is exactly what the name implies – a second “factor” of security when logging-in to something…

For example, if I login to my YouTube account, I need to enter my password (the first “factor”) and then a code of randomly-generated numbers from an application on my smartphone (the second “factor”). Other ways the second “factor” might apply is a randomly-generated code sent to you by text message, e-mail or telephone call; a randomly-generated code via a physical device; approval in an application (e.g. if you are trying to login to a new smartphone, a previously-used smartphone running the same operating system might ask you to “approve” the login); or a physical “token” (e.g. a USB device) which must be inserted into the computer you are using (not very common in consumer applications).

In essence, it’s like being given the key to the bank, but not the key to the vault itself – you are not going to get access to the bank’s stash of money without the second “factor” (i.e. the vault key) and someone is not going to get into your online accounts without the second “factor” applicable to the website/service/application/device they are trying to login to. In the case of my son, this person would not have been able to access my son’s online account without him, because this person would not have had access to the second “factor”.

This sounds like a lot of overkill… I don’t get “hacked”!

Are you kidding? Think long and hard about just how many companies, governments, organizations and websites have been hacked over the years… Apple, Facebook, Google, Nintendo, Sony, Microsoft, SnapChat, Amazon, Twitter, countless government departments (including a couple of Australian Government departments), various banks/financial institutions, eBay, Evernote, Target and countless others have all been “hacked”. In many cases, the passwords were partially or completely available to the hackers.

I encourage you to have a look at this Wikipedia entry, which has a rather lengthy list of companies/governments/organizations/websites which have been “hacked” over the years (though it may be incomplete for various reasons).

I don’t have anything to hide!

Well actually, you do. With just your name and date-of-birth, someone can Social Engineer their way into a lot of your personal affairs… Add your e-mail address and the list of things they can access gets even bigger. Maybe you have some saucy photos/videos you do not want to share with the world, or maybe you even have a few “skeletons” in your closet – guess what, it is all about to be shared with the world!

With two-factor authentication enabled in your online accounts, access to your online accounts is nearly impossible because even if one of your online accounts has been “hacked” and the password exposed, the hackers would not have access to your second “factor”… Nothing is perfect of course and under specific circumstances (for example, someone intercepting your text messages or telephone calls, etcetra), two-factor authentication can theoretically be broken – but this is beyond the skills of most hackers and unless you are someone super-important and/or wealthy (lucky you!), it is pretty unlikely a hacker with such skills is going to go to that much effort just for you.

For us peasants though, two-factor authentication gets you about as close to being “unhackable” as you realistically can get.

So who supports two-factor authentication then?

You would be surprised at just how many companies, governments, organizations and websites support two-factor authentication these days. Some examples include:

Amazon

Apple

Dropbox

Etsy

Evernote

Facebook

GOG.com

github

Google and “g Suite” (formerly “Google Apps”)

Kickstarter

myGov – most (all?) Australian Government accounts accessed via “myGov”

Nintendo

PayPal

ProtonMail

reddit

SnapChat

Sony Entertainment Network/PlayStation Network

Steam

Tumblr

Twitter

Twitch

WordPress

Although there may be entries missing (mostly due to the fact that this list is Community-maintained via github), I highly encourage you to have a look at this website and this website, which details many of the governments, companies, organizations and websites around the world supporting two-factor authentication… If there is something missing, feel free to create a github account and contribute to the list yourself (with regards to the first link).

Okay, how do I enable two-factor authentication?

The process varies, but you will usually find the option to enable two-factor authentication under your account or password settings; sometimes two-factor authentication may have its own option, and sometimes it may be found within an application/program instead (rather than on the respective website)(again, possibly under your account or password settings). In a small number of cases (such as banks and financial institutions), you may need to call the “customer service” telephone number for a government/company/organization/website and specifically request two-factor authentication be enabled on your account – if there is a charge for a physical “token” (as is usually the case with banks/financial institutions), pay it and thank me later.

Now the important stuff…

Nothing will make your account “100% unhackable”, not even two-factor authentication – but enabling two-factor authentication will get your online accounts awfully close to being “unhackable”.

In most cases, you will be given a set of “backup codes” when enabling two-factor authentication and these are exactly that – backup codes which can only be used once (each code), to get into your online account if you cannot provide the second “factor” (e.g. if you have lost your smartphone)… Save these somewhere on your computer, have a “hard” copy (that is, a printed or written copy) somewhere secure (e.g. in a safe or locked filing cabinet) and do not lose them – in many cases (though not all), you will not be able to re-gain access to your online account if you cannot access your second “factor” and you do not have a copy of your “backup codes”.

Do NOT save your “backup codes” online (e.g. in a “cloud” storage service) and do not e-mail them or otherwise transmit them over the Internet… There is simply too much risk and having access to these “backup codes” will usually give full access to your online accounts. Keep them offline at all times, and only transfer them between computers/devices manually (e.g. via USB).

Two-factor authentication is NOT an excuse for a weak password… You should still use “strong” passwords for everything (i.e. completely random, at least ten-characters, mixed case, numbers, letters and symbols), whilst having different passwords for everything – if you keep your passwords in an electronic “wallet” (e.g. KeePass, LastPass, eWallet, etcetra), do NOT save your electronic “wallet” online or transmit your electronic “wallet” over the Internet; keep it offline at all times.

Do yourself a favor – enable two-factor authentication and when your favorite website gets “hacked” next time, you can sleep soundly knowing it’s pretty unlikely the hacker will be able to access your account… Everyone else, well they won’t be so lucky.